Setting PHP running as domain owner (CGI or FCGI) has no effect (RESOLVED!)

#1 Mon, 11/26/2012 - 16:18
nabab Pro Licensee


Hi,

I cannot create or delete files in my user's public_html directory which is 0750. I can see in WinSCP that it belongs to the very same user and group as the FCGI user (according to the panel).
I tried changing the execution mode to Apache and CGI, and always got the same error message in the log:
mkdir(): Permission denied in /home/atla...

Here's my Apache configuration:

<VirtualHost MY.IP.ADDRESS.IS:80>
SuexecUserGroup "#1013" "#1006"
ServerName atlantica.domain.com
ServerAlias www.atlantica.domain.com
DocumentRoot /home/atlantica.domain.com/public_html
ErrorLog /var/log/virtualmin/atlantica.domain.com_error_log
CustomLog /var/log/virtualmin/atlantica.domain.com_access_log combined
ScriptAlias /cgi-bin/ /home/atlantica.domain.com/cgi-bin/
ScriptAlias /awstats/ /home/atlantica.domain.com/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/atlantica.domain.com/public_html>
Options -Indexes +IncludesNOEXEC +FollowSymLinks +ExecCGI
allow from all
AllowOverride All
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
FCGIWrapper /home/atlantica.domain.com/fcgi-bin/php5.fcgi .php
FCGIWrapper /home/atlantica.domain.com/fcgi-bin/php5.fcgi .php5
</Directory>
<Directory /home/atlantica.domain.com/cgi-bin>
allow from all
</Directory>
<Files awstats.pl>
AuthName "atlantica.domain.com statistics"
AuthType Basic
AuthUserFile /home/atlantica.domain.com/.awstats-htpasswd
require valid-user
</Files>
PerlRequire /etc/webmin/virtualmin-google-analytics/apachemod.pl
PerlOutputFilterHandler Virtualmin::GoogleAnalytics
RemoveHandler .php
RemoveHandler .php5
IPCCommTimeout 31
FcgidMaxRequestLen 1073741824
</VirtualHost>

If someone could help that would be great!

Thanks.

SOLUTION:
In /etc/apache2/mods-available/php5_cgi, I had this:


# This file replaces old system MIME types and sets them only in the
# Apache webserver

# application/x-httpd-php phtml pht php
# application/x-httpd-php3 php3
# application/x-httpd-php4 php4
# application/x-httpd-php5 php

SetHandler application/x-httpd-php

# application/x-httpd-php-source phps

SetHandler application/x-httpd-php-source
# Deny access to raw php sources by default
# To re-enable it's recommended to enable access to the files
# only in specific virtual host or directory
Order Deny,Allow
Deny from all

# Deny access to files without filename (e.g. '.php')

Order Deny,Allow
Deny from all

# To enable PHP CGI site-wide, just uncomment following lines, however
# as a security measure, it's recommended to enable PHP just in the
# specific virtual servers or just specific directories

#ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
#
# AllowOverride None
# Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
# Order allow,deny
# Allow from all
#
#Action application/x-httpd-php /cgi-bin/php5

Once I commented the 2 lines SetHandler application/x-httpd-php, the issue was fixed :)

Mon, 11/26/2012 - 16:59
Locutus

How exactly and as which user are you trying to create the directory?

Mon, 11/26/2012 - 17:04 (Reply to #2)
nabab Pro Licensee

Through <?php mkdir('mydir'); ?>

public_html belongs to user 1013, part of the same name's group 1006, which is the same user and group as seen in Virtualmin > atlantica.domain.com > Configure Website > User and Group

Mon, 11/26/2012 - 17:45
Locutus

Can you double-check that the PHP script is executed in FCGId mode? Otherwise, if it's executed through Apache's mod_php, the webserver has no write permission on the public_html.

Mon, 11/26/2012 - 18:13
nabab Pro Licensee

Triple-checked

In Virtualmin interface > Server configuration > Website options:
Run CGI scripts as domain owner? YES
PHP script execution mode FCGId

Tue, 11/27/2012 - 00:05
andreychek

Howdy,

What if you log into your server as the Virtual Server owner over SSH or FTP -- can you create a directory within the public_html folder?

I know you said public_html was owned by that user, this is just a troubleshooting step in case something weird is going on :-)

Also, you mentioned that your PHP script is using this:

mkdir('mydir')

Is that an absolute, or relative path?

Just to rule out some sort of relative path confusion, I'd suggest using a full absolute path there. Ie, something like this:

mkdir('/home/atlantica.domain.com/public_html/foo')

Does that make any difference?

-Eric

Tue, 11/27/2012 - 06:36 (Reply to #6)
nabab Pro Licensee

Hi Eric, and thanks for your answer.

Actually, although Virtualmin tells me that PHP will be executed as FCGI on this domain, I tried my script after changing the CHMOD to 0777. It worked, the directory got created, but... owned by www-data!

So actually my question is now different: what can prevent on a system to enable the FCGI (or CGI) setting in Virtualmin? (actually I can enable it, it just has no effect)

Thanks!

Tue, 11/27/2012 - 07:11
Locutus

Hmm, if I recall correctly, there was some issue with FCGId setup a number of Virtualmin versions back. Something had to be changed in an Apache config file for FCGId to become effective. I'll dig a bit and report back.

EDIT: Check out your file /etc/apache2/mods-available/php5.conf. The SetHandler directives in there need to be commented out with a "#" character. If they are not, PHP will be served by mod_php and not FCGId, no matter what you configure in Virtualmin.

Tue, 11/27/2012 - 07:32 (Reply to #8)
nabab Pro Licensee

Thanks for your answer!

This is the content of php5.conf. SetHandler was already commented... :(

<FilesMatch ".+\.ph(p[345]?|t|tml)$">
# SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch ".+\.phps$">
# SetHandler application/x-httpd-php-source
# Deny access to raw php sources by default
# To re-enable it's recommended to enable access to the files
# only in specific virtual host or directory
Order Deny,Allow
Deny from all
</FilesMatch>

Tue, 11/27/2012 - 08:25
andreychek

As a troubleshooting step, you could always try disabling mod_php in Apache.

To do that, you can run:

a2dismod php5

And then restart Apache:

/etc/init.d/apache2 restart

Later, to re-enable it (if you need it), you can run:

a2enmod php5

I'm curious if disabling mod_php allows the script to run normally.

-Eric

Tue, 11/27/2012 - 08:45 (Reply to #10)
nabab Pro Licensee

Just tried it, I get to download the PHP file!

Tue, 02/26/2013 - 12:23 (Reply to #11)
miniorb

OMG.

You sir are made of gold.

After a system upgrade, my PHP module got re-enabled and the entire beautiful suexec setup died.

Disabling mod php brought the system back to its safe world again. No more ugly temp 777 hacks.

Am now happily running 755 on directories and 644 on files. \o/

Thank you very much!

Tue, 11/27/2012 - 08:50
nabab Pro Licensee

I just updated the Apache config in the question. Can anyone check if there's nothing abnormal?

Tue, 11/27/2012 - 08:53
Locutus

That sounds like it is completely ignoring the handler settings in the VirtualHost configuration. Are you seeing any errors in Apache's error log?

Tue, 11/27/2012 - 09:39 (Reply to #14)
nabab Pro Licensee

No error in Apache log. Only when I try to create the directory without the adequate permissions.

Tue, 11/27/2012 - 09:32
andreychek

Also, out of curiosity, do you have the same problem when using "CGI" mode rather than FCGID?

And is there by chance a .htaccess file in either "/home/atlantica.domain.com" or "/home/atlantica.domain.com/public_html"?

If so, you may want to temporarily remove it, as the contents of a .htaccess file could override PHP execution settings such as this.

-Eric

Tue, 11/27/2012 - 09:41 (Reply to #16)
nabab Pro Licensee

I have the exact same problem with CGI.

I deleted the .htaccess (which just contained Rewrite directives) and nothing changed (the dir is created by www-data).

Tue, 11/27/2012 - 14:01
Locutus

Very odd. I have no explanation for that without taking a look at things myself. Only quick (but undesirable due to effects on security) fix I can see is turning mod_php back on, switching the site to use it, and change the permissions of public_html to 770.

Wed, 11/28/2012 - 07:57
nabab Pro Licensee

Now I have updated to 0.96, the new version, which states:

"The following new features are available in Virtualmin 3.96.gpl ..

PHP and symlink security fixes: For virtual servers using CGI or fcgid mode for executing PHP, mod_php mode is now forcibly disabled to prevent potential security issues. This is also done for all domains at installation time. Also, all existing virtual servers using the FollowSymLinks option will be converted to SymLinksifOwnerMatch, to protect against malicious links into other domain's directories."

Well, suddenly all my virtual servers executing as FCGId (about 50) have stopped working, and are serving directly the content of the PHP file! I had to manually change them to mod_php, which will bring ownership problems. I really need to resolve this (new) issue...

Wed, 11/28/2012 - 08:14
andreychek

Hmm, well, it sounds like something was already out of the ordinary to begin with, and it's possible the new changes in the Apache are causing that to be even more awry.

The only two changes it would have made to your Apache config are:

  1. It would have added this line:

php_admin_value engine Off

  2. It would have changed the option "FollowSymlinks" to "SymLinksIfOwnerMatch".

You could try changing those back for one of your Virtual Servers to see which is causing the problem you're seeing. However, those shouldn't cause any problems in most circumstances.

-Eric

Wed, 11/28/2012 - 08:18
Hoanne

Same problem over here after the update to Virtualmin 3.96.gpl.

All www.domain.com/phpmyadmin and www.domain.com/webmail sites running on fcgid are down. The www.domain.com works well over here.

For virtual servers using CGI or fcgid mode for executing PHP, mod_php mode is now forcibly disabled to prevent potential security issues.

How can we turn this (feature?) back to the old situation?

Wed, 11/28/2012 - 08:29
nabab Pro Licensee

Well, this line "php_admin_value engine Off" was added only for port 80, not 443, and removing it got rid of the problem...

Wed, 11/28/2012 - 10:30
nabab Pro Licensee

There's a problem in the update: it is generally adding a line in server's Apache config file "php_admin_value engine Off" for all the servers using FCGI (and CGI I believe too), and is doing so indistinctly for SSL and non-SSL configs. But during the update process, only the non-SSL servers have been updated (while both are when you change it manually).

So, back to my issue, which has been expanding with the update...

So far, changing the PHP execution mode in Virtualmin seemed to work in Virtualmin but had no effect on the execution, and I think it's still the case. I can change the value to CGI or FCGI, running as the server's owner or not, my PHP script has no writing permission and creates files (in a 0777 directory!) as www-data.

However now, each time the line "php_admin_value engine Off" is added, my server stops working and serves the raw PHP files!

The Apache config files are correctly changed when the exec mode is changed in Virtualmin, and it has definitely an effect as my server stops working, but it's like if another config using Apache handler was overriding somewhere. I grep-ed for "addhandler" the etc/Apache2 folder without finding anything unexpected.

This install has gone through a few versions of Webmin/Virtualmin perfectly, and I have this problem since recently. I am wondering if it couldn't come from my servers' templates, but I must admit I'm a bit lost...

Thanks for your help!

Wed, 11/28/2012 - 22:14
andreychek

Howdy,

I was just typing out a response to your last post, when I realized you figured out what was causing that.

Thanks for letting us know how you fixed it!

We can look into your fix, and figure out how to prevent problems like that in the future.

Which distro/version is it that you're using?

The one I'm using doesn't have the file "/etc/apache2/mods-available/php5_cgi" in it.

Thanks!

-Eric

Wed, 11/28/2012 - 22:30
nabab Pro Licensee

Thanks, I use Ubuntu 12.04 LTS with the latest VM/WM versions

Thu, 11/29/2012 - 06:18
Locutus

I use the same OS, haven't updated to Vmin 3.96 yet though.

I'm a bit confused about all the information in this thread. ;) @nabab, could you maybe sum up what exactly solved your initial problem, and how that had to do with the PHP related problems of the latest update?

Thu, 11/29/2012 - 06:55
nabab Pro Licensee

Ok, so 2 things here:

  • One problem was specific to my install and was there before the update: the correct execution as FCGI. This has been fixed by removing these 2 lines SetHandler application/x-httpd-php in /etc/apache2/mods-available/php5_cgi.conf

  • The other problem appeared after the update (downloading PHP files sources instead of them being served), and was (temporarily) fixed by removing the lines php_admin_value engine Off

HOWEVER ONCE MY FIRST PROBLEM HAS BEEN FIXED, THE SECOND DISAPPEARED - SO IT WAS NOT A PROBLEM BY ITSELF, BUT IN MY BAD CONFIG. IF YOU GET THE RAW FILES LIKE ME, CHECK ALSO YOUR php5_cgi.conf. DO IT ALSO IF YOU HAVE A PROBLEM WITH THE PERMISSIONS OF YOUR FCGI (FCGI selected in Virtualmin and PHP executed as www-data)
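
Added example, not part of the thread: a shell check for the condition described above, an uncommented mod_php handler in the enabled Apache config while sites are set to FCGId. It assumes the Debian/Ubuntu /etc/apache2 layout; the function and variable names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): find enabled Apache directives that
# route .php requests to mod_php although a site is configured for FCGId.
# Debian/Ubuntu layout under /etc/apache2 is assumed.

# Uncommented directive that maps files to the mod_php handler. The final
# group stops application/x-httpd-php-source from matching.
MODPHP_RE='^[[:space:]]*(SetHandler|AddHandler|AddType)[[:space:]]+"?application/x-httpd-php[0-9]?"?([[:space:]]|$)'
FCGID_RE='^[[:space:]]*AddHandler[[:space:]]+fcgid-script'
ENGINE_OFF_RE='^[[:space:]]*php_admin_value[[:space:]]+engine[[:space:]]+off'

# Print file:line:text for every active mod_php handler in the enabled config.
# -R follows the mods-enabled symlinks into mods-available.
active_modphp_handlers() {
    root=${1:-/etc/apache2}
    for p in apache2.conf httpd.conf conf.d mods-enabled sites-enabled; do
        if [ -e "$root/$p" ]; then
            grep -RHEin "$MODPHP_RE" "$root/$p" || :
        fi
    done
}

# Print the enabled site files containing a line that matches regex $2.
sites_matching() {
    [ -d "$1/sites-enabled" ] || return 0
    grep -RElis "$2" "$1/sites-enabled" || :
}

# Return 1 and print a report when FCGId sites coexist with an active
# mod_php handler; return 0 when the configuration is consistent.
check_php_handler_conflict() {
    root=${1:-/etc/apache2}
    handlers=$(active_modphp_handlers "$root")
    fcgid=$(sites_matching "$root" "$FCGID_RE")
    [ -n "$handlers" ] && [ -n "$fcgid" ] || return 0
    printf 'mod_php handlers still active:\n%s\n' "$handlers"
    printf 'FCGId sites that mod_php may serve instead:\n%s\n' "$fcgid"
    off=$(sites_matching "$root" "$ENGINE_OFF_RE")
    [ -n "$off" ] && printf 'Sites with engine Off (raw source served):\n%s\n' "$off"
    return 1
}

# Run against the live config only when a root is given on the command line.
[ $# -eq 0 ] || check_php_handler_conflict "$1"
```

Run it as `sh check.sh /etc/apache2` (the script name is arbitrary) after any package upgrade that may have re-enabled a PHP module.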

Thu, 11/29/2012 - 07:28
Locutus

Okay, thanks!

(In case there was a misunderstanding: I have no problems myself, was just interested in how you solved it.)

About the SetHandler directives, I'm a bit confused: I had posted that hint, and you replied that SetHandler was already commented out in your config file? Or am I misunderstanding something here?

Thu, 11/29/2012 - 07:30 (Reply to #28)
nabab Pro Licensee

Yes, because I was talking about the individual config files and not php5_cgi.conf. Thanks anyway

Wed, 01/15/2014 - 06:38
borjaevo

Order Deny,Allow Deny from all

Have denied files that match .phtml. Here is the fix:

Order Deny,Allow Deny from all

Mon, 04/07/2014 - 09:27
najib

Doesn't this require suPHP installed if you actually want each virtual server to run as the server owner instead of Apache?

Here's a guide on installing suPHP for VirtualMin:

http://www.tech-and-dev.com/2012/11/installing-suphp-on-centos-with-virt...

Hope it helps.

Regards

Najib

Mon, 04/07/2014 - 10:30 (Reply to #31)
andreychek

Howdy,

Nope, suPHP isn't necessary.

Virtualmin configures suexec to run PHP code as the Virtual Server owner... this is done by default.

The only time PHP code would be run as the Apache user is if the Virtual Server is changed to use mod_php as the PHP Execution Mode. That is set in Server Configuration -> Website Options.

However, FCGID is the default, and that uses suexec (as does CGI).

-Eric

Mon, 04/07/2014 - 11:10 (Reply to #32)
najib

Hi Eric,

Theoretically, you're right, and what you said makes perfect sense.

In reality it didn't work as it's supposed to. Background - I installed virtualmin install script on a CentOS minimal, and virtualmin did all the settings all by itself - automagically. I didn't tamper with the files, so that it does what it's supposed to. I updated from virtualmin interface when it wanted one.

I have tried both CGI and FCGID because it says "run as virtual server owner" beside both, and both returned "apache" when I shell_exec - whoami. I continued to receive all the permission errors, and no real solution was coming out of my hours of googling.

This only got fixed after I installed suPHP from a guide a few hours ago. Now it's running well-no issues I can see so far, updated my templates and new servers work with suPHP, which is doing its job.

I would still like to find out why it didn't work out of the box as it was supposed to. I am using CentOS, and the solution provided on top of this page doesn't relate to me (or maybe just needs a different path or something).

Regards

Najib

Mon, 04/07/2014 - 12:20 (Reply to #33)
andreychek

Howdy,

A new installation should definitely be configured to use FCGID, while executing whiles as the Virtual Server owner.

The most common reason that wouldn't be the case is when using a third party repository -- packages from third party repositories can override the normal settings configured by Virtualmin.

What output do you receive if you run this command:

php -v

Mon, 04/07/2014 - 12:28
najib

This is what php -v returns:

PHP 5.3.3 (cli) (built: Dec 11 2013 03:29:57)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with the ionCube PHP Loader v4.4.1, Copyright (c) 2002-2013, by ionCube Ltd.